Google Fixes Twin Chrome Bugs

Google has recently said on its Chrome blog that it developed two security patches to fix vulnerabilities in its XML and JavaScript engines.

The blog posting stated that a security hole in the V8 JavaScript tool could allow a malicious JavaScript, added to an online page, to intercept illegitimate memory after evading anti-malware solutions. As a result, unauthorized data could be disclosed to a hacker, or he could execute arbitrary code.

Further, the other vulnerability impacts XML. Web-pages that employ XML could lead to the crash down of a tab process in Google's Chrome. A specially crafted XML could kick start a use-after-free circumstance. However, other tabs remain uninfluenced, stated Jonathan Conradt, Engineering Program Manager at Google, as reported by ComputerWeekly on August 26, 2009.

Chris Evans, Information Security Engineer at Google, states that none of the two vulnerabilities has been given a "critical" rating as Google Chrome employs a sandbox that stops direct execution of arbitrary software on an end-user's computer.

Moreover, Google has also revised Chrome's method of dealing with SSL certificates. Henceforth, the browser wouldn't link up with HTTPS websites having certificates, which are issued with the help of MD4 and MD2 hashing algorithms. Google also said - the algorithms that could be compromised with collision attacks are potentially feeble since with them an attacker could create a fake website pretending to be a legitimate HTTPS site.

The credit for unearthing the security hole in the V8 JavaScript tool of Chrome goes to Mozilla Security.

The security researchers stated that the team of security professionals at Mozilla were probably examining other open-source web-browsers and their own Firefox releases to find out if they had the same flaws. However, a more feasible anecdote was that Mozilla or Google tested a Firefox flaw derivative that Mozilla's team had discovered, on Chrome and found the identical outcomes of detrimental nature.

Meanwhile, to stay protected, users running Chrome were suggested to update the browser with its latest version.